From: Dave Chinner <david@fromorbit.com>
To: Ben Myers <bpm@sgi.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Jeff Liu <jeff.liu@oracle.com>, Alex Elder <elder@kernel.org>,
kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org,
xfs@oss.sgi.com
Subject: Re: [patch] xfs: check for underflow in xfs_iformat_fork()
Date: Fri, 16 Aug 2013 08:26:50 +1000 [thread overview]
Message-ID: <20130815222650.GX6023@dastard> (raw)
In-Reply-To: <20130815143706.GI7153@sgi.com>
On Thu, Aug 15, 2013 at 09:37:06AM -0500, Ben Myers wrote:
> Hey Dan & Jeff,
>
> On Thu, Aug 15, 2013 at 06:10:43PM +0800, Jeff Liu wrote:
> > On 08/15/2013 01:53 PM, Dan Carpenter wrote:
> >
> > > The "di_size" variable comes from the disk and it's a signed 64 bit.
> > > We check the upper limit but we should check for negative numbers as
> > > well.
> > >
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > diff --git a/fs/xfs/xfs_inode_fork.c b/fs/xfs/xfs_inode_fork.c
> > > index 123971b..849fc70 100644
> > > --- a/fs/xfs/xfs_inode_fork.c
> > > +++ b/fs/xfs/xfs_inode_fork.c
> > > @@ -167,7 +167,8 @@ xfs_iformat_fork(
> > > }
> > >
> > > di_size = be64_to_cpu(dip->di_size);
> > > - if (unlikely(di_size > XFS_DFORK_DSIZE(dip, ip->i_mount))) {
> > > + if (unlikely(di_size < 0 ||
> >
> > But the di_size is initialized to ZERO while allocating a new inode on disk.
> > I wonder if that is better to ASSERT in this case because the current check
> > is used to make sure that the item is inlined, or we don't need it at all.
>
> Hmm. Dan's additional check looks good to me. In this case I'd say the forced
> shutdown is more appropriate than an assert, because here we're reading the
> inode from disk, as opposed to looking at a structure that is already incore
> which we think we've initialized. We want to handle unexpected inputs from
> disk without crashing even if we are CONFIG_XFS_DEBUG.
There are lots of places where we only check di_size to be greater
than some value, and don't check for it being less than zero. Hence
I think that a better solution might be to di_size unsigned as that
will catch "negative" sizes for all types of situations.
We've got the same problem in the userspace code as well and so
treating the size as unsigned will stop such validation problems
everywhere....
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2013-08-15 22:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-15 5:53 [patch] xfs: check for underflow in xfs_iformat_fork() Dan Carpenter
2013-08-15 10:10 ` Jeff Liu
2013-08-15 14:37 ` Ben Myers
2013-08-15 15:47 ` Dan Carpenter
2013-08-15 22:26 ` Dave Chinner [this message]
2013-08-23 17:36 ` Ben Myers
2013-08-26 14:37 ` Dan Carpenter
2013-08-26 16:12 ` Ben Myers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130815222650.GX6023@dastard \
--to=david@fromorbit.com \
--cc=bpm@sgi.com \
--cc=dan.carpenter@oracle.com \
--cc=elder@kernel.org \
--cc=jeff.liu@oracle.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox